The_miro
/
Dotfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Dotfiles/setup/archbaseos-guided-install.sh

348 lines
11 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# archbaseos-guided-install.sh — guided (dialog-based) Arch Linux base installer
#
# If /answerfile.json exists (e.g. embedded via build.sh --preconf), all prompts
# are answered from it. Missing fields fall back to interactive prompts.
set -euo pipefail
############################################
# Helper Functions
############################################
confirm() {
echo "WARNING: This will ERASE ALL DATA on $1"
read -rp "Type YES to continue: " ans
[[ $ans == "YES" ]]
}
ask() {
local prompt=$1
local var
read -rp "$prompt: " var
echo "$var"
}
pause() {
read -rp "Press ENTER to continue..."
}
############################################
# ANSWERFILE
############################################
ANSWERFILE="${ANSWERFILE:-/answerfile.json}"
AF_MODE=false
[[ -f "$ANSWERFILE" ]] && AF_MODE=true
af_get() {
local val
val=$(jq -r "${1} // empty" "$ANSWERFILE" 2>/dev/null || true)
if [[ -z "$val" ]]; then printf '%s' "${2:-}"; else printf '%s' "$val"; fi
}
af_bool() {
local val; val=$(jq -r "${1} // false" "$ANSWERFILE" 2>/dev/null || true)
[[ "$val" == "true" ]] && echo "YES" || echo "NO"
}
get_mac_suffix() {
local mac
mac=$(ip link show 2>/dev/null \
| awk '/^[0-9]+: [^l][^o]/{iface=1} iface && /link\/ether/{print $2; iface=0; exit}')
printf '%s' "${mac//:/}"
}
if $AF_MODE; then
echo "== Arch Linux Guided Installer (answerfile mode) =="
command -v jq &>/dev/null || pacman -Sy --noconfirm jq
else
echo "== Arch Linux FIDO2-Ready Installer =="
fi
############################################
# Begin
############################################
lsblk
if $AF_MODE && [[ -n "$(af_get '.drive')" ]]; then
DRIVE=$(af_get '.drive')
echo "Drive (from answerfile): $DRIVE"
echo "WARNING: All data on $DRIVE will be erased. Proceeding in 5 seconds..."
sleep 5
else
DRIVE=$(ask "Enter install drive (e.g., /dev/sda)")
confirm "$DRIVE" || exit 1
fi
# Required packages
pacman -Syd --noconfirm parted cryptsetup libfido2 pam-u2f systemd-ukify jq
############################################
# Partitioning
############################################
RAM_GB=$(free --giga | awk '/Mem/ {print $2}')
DISK_GB=$(lsblk -dn -o SIZE -b "$DRIVE" | awk '{print int($1/1024/1024/1024)}')
EFI_SIZE=5
SWAP_SIZE=$RAM_GB
ROOT_SIZE=$((DISK_GB - SWAP_SIZE - EFI_SIZE - 1))
if (( ROOT_SIZE < 8 )); then
echo "ERROR: Disk too small for layout."
exit 1
fi
echo "EFI=${EFI_SIZE}G, Root=${ROOT_SIZE}G, Swap=${SWAP_SIZE}G"
parted -s "$DRIVE" mklabel gpt \
mkpart EFI fat32 1MiB "${EFI_SIZE}GiB" \
set 1 esp on \
mkpart ROOT "${EFI_SIZE}GiB" "$((EFI_SIZE + ROOT_SIZE))GiB" \
mkpart SWAP "$((EFI_SIZE + ROOT_SIZE))GiB" 100%
EFI_PART="${DRIVE}1"
ROOT_PART="${DRIVE}2"
SWAP_PART="${DRIVE}3"
mkfs.fat -F32 "$EFI_PART"
mkswap "$SWAP_PART"
swapon "$SWAP_PART"
############################################
# User input
############################################
if $AF_MODE; then
KERNEL=$(af_get '.kernel' 'linux')
RAW_HOSTNAME=$(af_get '.hostname' '')
if [[ -n "$RAW_HOSTNAME" ]]; then
HOSTNAME="${RAW_HOSTNAME}-$(get_mac_suffix)"
else
HOSTNAME="arch"
fi
USERNAME=$(af_get '.username' '')
ENCRYPT_DISK=$(af_bool '.encrypt')
ENABLE_FIDO_ROOT=$(af_bool '.fido2_root')
ENABLE_FIDO_USER=$(af_bool '.fido2_user')
RUN_TUI=$(af_bool '.run_tui')
echo "Kernel: $KERNEL / Hostname: $HOSTNAME / Username: $USERNAME"
echo "Encrypt: $ENCRYPT_DISK / FIDO2 root: $ENABLE_FIDO_ROOT / FIDO2 user: $ENABLE_FIDO_USER"
else
KERNEL=$(ask "Kernel (linux, linux-lts, linux-zen)")
HOSTNAME=$(ask "Hostname")
USERNAME=$(ask "Username")
read -rp "Enable disk encryption? (YES/NO): " ENCRYPT_DISK
ENABLE_FIDO_ROOT="NO"
if [[ "$ENCRYPT_DISK" == "YES" ]]; then
read -rp "Enable FIDO2 for unlocking root? (YES/NO): " ENABLE_FIDO_ROOT
fi
read -rp "Enable FIDO2 for user login? (YES/NO): " ENABLE_FIDO_USER
fi
read -rsp "Password for $USERNAME: " USERPASS; echo
[[ -z "$USERPASS" ]] && { echo "Error: password cannot be empty."; exit 1; }
############################################
# Encryption (optional)
############################################
LUKS_BACKUP_KEY=""
if [[ "$ENCRYPT_DISK" == "YES" ]]; then
echo "Formatting LUKS2 root..."
cryptsetup luksFormat "$ROOT_PART" --type luks2
cryptsetup open "$ROOT_PART" cryptroot
# ── Auto-generate backup LUKS key ─────────────────────────────────────────
LUKS_BACKUP_KEY=$(mktemp /tmp/luks-backup-key.XXXXXX)
dd if=/dev/urandom bs=64 count=1 2>/dev/null | base64 -w0 > "$LUKS_BACKUP_KEY"
echo "Enrolling auto-generated backup LUKS key..."
cryptsetup luksAddKey "$ROOT_PART" "$LUKS_BACKUP_KEY"
if [[ "$ENABLE_FIDO_ROOT" == "YES" ]]; then
echo "Enroll FIDO2 key for LUKS2"
pause
systemd-cryptenroll "$ROOT_PART" --fido2-device=auto --fido2-with-client-pin=no
fi
mkfs.btrfs /dev/mapper/cryptroot
mount /dev/mapper/cryptroot /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt
mount -o subvol=@ /dev/mapper/cryptroot /mnt
mkdir -p /mnt/home
mount -o subvol=@home /dev/mapper/cryptroot /mnt/home
else
echo "Skipping encryption — formatting root directly."
mkfs.btrfs "$ROOT_PART"
mount "$ROOT_PART" /mnt
btrfs subvolume create /mnt/@
btrfs subvolume create /mnt/@home
umount /mnt
mount -o subvol=@ "$ROOT_PART" /mnt
mkdir -p /mnt/home
mount -o subvol=@home "$ROOT_PART" /mnt/home
fi
mkdir -p /mnt/boot
mount "$EFI_PART" /mnt/boot
# Place backup key inside the new system (readable only by root, inside LUKS container)
if [[ -n "$LUKS_BACKUP_KEY" ]]; then
install -m 400 "$LUKS_BACKUP_KEY" /mnt/_LUKS_BACKUP_KEY
rm -f "$LUKS_BACKUP_KEY"
echo "Backup LUKS key written to /_LUKS_BACKUP_KEY in new system."
fi
############################################
# Base System Install
############################################
GPU_INFO=$(lspci | grep -E "VGA|3D" || true)
GPU_PKGS=""
if echo "$GPU_INFO" | grep -qi nvidia; then
GPU_PKGS="nvidia-open"
elif echo "$GPU_INFO" | grep -qi amd; then
GPU_PKGS="xf86-video-amdgpu"
elif echo "$GPU_INFO" | grep -qi intel; then
GPU_PKGS="xf86-video-intel"
fi
# shellcheck disable=SC2086
pacstrap /mnt \
base base-devel "$KERNEL" linux-firmware vim zsh git networkmanager grub efibootmgr \
btrfs-progs cryptsetup libfido2 pam-u2f sudo less jq $GPU_PKGS
genfstab -U /mnt >> /mnt/etc/fstab
############################################
# COPY ANSWERFILE INTO NEW SYSTEM
############################################
if $AF_MODE; then
install -m 644 "$ANSWERFILE" /mnt/answerfile.json
fi
############################################
# CHROOT Configuration
############################################
ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
arch-chroot /mnt /usr/bin/env \
HOSTNAME="$HOSTNAME" \
USERNAME="$USERNAME" \
USERPASS="$USERPASS" \
ENCRYPT_DISK="$ENCRYPT_DISK" \
ENABLE_FIDO_ROOT="$ENABLE_FIDO_ROOT" \
ENABLE_FIDO_USER="$ENABLE_FIDO_USER" \
ROOT_UUID="$ROOT_UUID" \
ROOT_PART="$ROOT_PART" \
/bin/bash <<'CHROOT_EOF'
set -euo pipefail
echo "en_US.UTF-8 UTF-8" > /etc/locale.gen
locale-gen
echo "LANG=en_US.UTF-8" > /etc/locale.conf
ln -sf /usr/share/zoneinfo/Europe/Vienna /etc/localtime
hwclock --systohc
echo "$HOSTNAME" > /etc/hostname
systemctl enable NetworkManager
# Populate /etc/skel before user creation so useradd -m copies everything
echo "Cloning dotfiles into /etc/skel..."
git clone https://git.abdelbaki.eu/The_miro/Dotfiles.git /etc/skel/Dotfiles \
|| echo "Warning: dotfiles clone failed — clone manually after first boot."
mkdir -p /etc/skel/{Desktop,Documents,Downloads,Music,Pictures,Public,Templates,Videos}
useradd -m -G wheel -s /bin/zsh "$USERNAME"
echo "$USERNAME:$USERPASS" | chpasswd
chown -R "$USERNAME:$USERNAME" "/home/$USERNAME"
echo "%wheel ALL=(ALL) ALL" >> /etc/sudoers
# Initramfs
if [[ "$ENCRYPT_DISK" == "YES" && "$ENABLE_FIDO_ROOT" == "YES" ]]; then
sed -i 's/^HOOKS=.*/HOOKS=(base udev systemd autodetect microcode modconf kms consolefont block sd-encrypt lvm2 btrfs filesystems keyboard keymap fsck)/' /etc/mkinitcpio.conf
elif [[ "$ENCRYPT_DISK" == "YES" ]]; then
sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect microcode modconf kms consolefont block encrypt lvm2 btrfs filesystems keyboard keymap fsck)/' /etc/mkinitcpio.conf
else
sed -i 's/^HOOKS=.*/HOOKS=(base udev autodetect microcode modconf kms consolefont block btrfs filesystems keyboard fsck)/' /etc/mkinitcpio.conf
fi
mkinitcpio -P
# GRUB
if [[ "$ENCRYPT_DISK" == "YES" ]]; then
if [[ "$ENABLE_FIDO_ROOT" == "YES" ]]; then
GRUB_CMDLINE="rd.luks.name=$ROOT_UUID=cryptroot rd.luks.options=fido2-device=auto root=/dev/mapper/cryptroot"
else
GRUB_CMDLINE="cryptdevice=UUID=$ROOT_UUID:cryptroot root=/dev/mapper/cryptroot"
fi
else
GRUB_CMDLINE="root=UUID=${ROOT_UUID} rootflags=subvol=@"
fi
sed -i "s|^GRUB_CMDLINE_LINUX=.*|GRUB_CMDLINE_LINUX=\"$GRUB_CMDLINE\"|" /etc/default/grub
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
grub-mkconfig -o /boot/grub/grub.cfg
# User login FIDO2
if [[ "$ENABLE_FIDO_USER" == "YES" ]]; then
echo "Enrolling FIDO2 for user login"
mkdir -p "/home/$USERNAME/.config/Yubico"
chown "$USERNAME:$USERNAME" "/home/$USERNAME/.config/Yubico"
sudo -u "$USERNAME" bash -c "pamu2fcfg >> /home/$USERNAME/.config/Yubico/u2f_keys"
echo "auth required pam_u2f.so" >> /etc/pam.d/system-auth
fi
CHROOT_EOF
############################################
# DOTFILES SETUP (in-chroot, optional)
############################################
if $AF_MODE; then
_DO_TUI="${RUN_TUI}"
else
read -rp "Run dotfiles TUI setup inside chroot now? [YES/no]: " _TUI_IN
_TUI_IN="${_TUI_IN:-YES}"
[[ "${_TUI_IN^^}" == "YES" ]] && _DO_TUI="YES" || _DO_TUI="NO"
fi
if [[ "${_DO_TUI^^}" == "YES" ]]; then
echo "${USERNAME} ALL=(ALL) NOPASSWD: ALL" \
| arch-chroot /mnt tee /etc/sudoers.d/99-setup-nopasswd > /dev/null
echo "Running tui-install.sh as ${USERNAME} inside chroot..."
arch-chroot /mnt runuser -u "${USERNAME}" -- \
bash "/home/${USERNAME}/Dotfiles/setup/tui-install.sh" \
|| echo "Warning: tui-install exited with errors — check ~/dotfiles-install.log in the new system."
arch-chroot /mnt rm -f /etc/sudoers.d/99-setup-nopasswd
fi
# Remove answerfile from new system after setup completes
if $AF_MODE && [[ -f /mnt/answerfile.json ]]; then
rm -f /mnt/answerfile.json
fi
echo "Installation complete!"
echo " umount -R /mnt && reboot"
if [[ "${_DO_TUI^^}" != "YES" ]]; then
echo
echo "After first boot, login as ${USERNAME} and run:"
echo " ~/Dotfiles/setup/tui-install.sh"
fi
if [[ "$ENCRYPT_DISK" == "YES" ]]; then
echo
echo "LUKS backup key stored at /_LUKS_BACKUP_KEY in the new system."
echo "Keep this file secure — it can unlock the root partition."
fi
Reference in New Issue View Git Blame Copy Permalink